Press play to listen to this article
Hacken was a thriving cybersecurity firm, putting the skills of Ukraine’s gifted young ethical hackers to good use in securing the country’s networks against threats.
Then the war started.
Overnight, the Kyiv-based firm turned into one of Ukraine’s most active hacking groups, designing cyberweapons and launching attacks on Russian critical infrastructure in an effort to disrupt Moscow’s invasion of Ukraine.
“We have very strong IT engineers and cybersecurity experts. And all of them, right now, they are united like never before,” Dmytro Budorin, Hacken’s chief executive officer, said in an interview. “This is going to be, by far, the strongest cyber army in the world.”
Hacken is not alone. Ukraine’s cybersecurity community members have organized themselves on private-messaging channels to conceive and coordinate campaigns designed to put stress on Russia’s ruler Vladimir Putin, entice ordinary Russians to rebel against the war and bring down some of the country’s essential services.
Those groups include one run by Yegor Aushev, who co-founded Hacken and now runs Cyber Unit Technologies, a Ukrainian cybersecurity company. Aushev told Reuters he was contacted by the Ukrainian defense ministry in the first hours of Russia’s invasion to organize offensive and defensive teams of cyber experts to support the country during the war. Roman Zakharov, another IT executive who’s involved in organizing Ukraine’s cyber volunteers, described the groups as “a self-organizing swarm” to the Associated Press earlier this month.
President Volodymyr Zelenskyy’s government has supported and directed the effort. At the start of the conflict, Ukrainian digital minister Mykhailo Fedorov called for the creation of an “IT army.” Ever since, government officials have been instructing cyber volunteers on secure messaging groups and showing off their successes on public channels like Telegram’s IT Army of Ukraine.
“It works very well. Everybody is communicating. Everybody is coordinating,” Budorin said about the effort. “People who want to hack, who have some skills, they come for example to us and we understand what they can do and we give them tasks. And we speak with officials and they coordinate [with] us in terms of what we should be doing. Once we have results we report it to them.”
To the West, Ukraine’s hacking collectives present a paradox as well as a unique challenge. The groups in effect look and act much like the shady actors that have been operating out of Russia for years, plaguing Western governments with everything from ransomware attacks on critical infrastructure to espionage in government networks.
The difference is that this time, Western governments sympathize with the hackers’ cause.
Hacken launched in 2017 as a project aimed at tapping into Ukraine’s rich vein of IT engineers. The country’s tech sector is growing by 25-30 percent annually and the number of IT specialists has doubled in the past three years, a 2021 industry survey showed.
In just a few years Hacken turned the entrepreneurial spirit and young enthusiasm of its employees and community of hackers into a thriving business, offering consultancy services like audits, penetration-testing and threat-modeling to clients in the U.S., Canada, Germany, China and elsewhere.
“Ukraine was the brains of the Soviet Union … Our competitive advantage is our math skills,” Budorin told POLITICO in an interview in 2019 at the firm’s offices, then located in a hyper-modern skyscraper in Kyiv called the Parus Business Center.
For years, Hacken created an image and brand that toyed with the edginess of cybersecurity. Its meeting rooms were painted pitch black, and its employees sported black hoodies. Its merchandising included T-shirts with its logo — in gimmicky techno-font letters — and a slogan saying, “Let me hack it for you.”
It was a firm that not only played with the reputation of being close to the hacker underground, it also thrived within Ukraine’s IT community and culture, which for years has helped engineers excel at cybersecurity. Some, if not many, of Ukraine’s cybersecurity experts dabbled in gray-zone hacking and flat-out illegal cybercrime activities. In fact, the country’s authorities, together with EU and U.S. agencies, conducted a series of bust-ups of high-profile ransomware gangs between October and January.
When Russian tanks rolled into Ukraine last month, the community of engineers around Hacken found another target for its attention: Moscow’s infrastructure.
“Everybody was looking for the opportunity of how we can help in this situation. Our role was to identify how we could help and direct the energy of our team and our community,” Budorin said.
Hacken deployed tools to target Russian websites with avalanches of traffic to make them unavailable. It rewrote its disBalancer software, initially designed to stop such distributed denial-of-service (DDoS) attacks, and turned it into a stronger, offensive tool called Liberator, which can also be used by others to launch attacks on Russian websites.
The group has also launched attacks on Russian propaganda websites and scanned popular mobile applications for vulnerabilities, seeking to take control and spread messages calling for an end to the war and discouraging Russians from joining and supporting their country’s military operation.
“The first message is to mothers,” said Budorin, explaining how Hacken has spread messages debunking Russian narratives and building up popular opposition against the invasion, trying “to push people to take to the streets and to show that the Putin regime is about to fail.”
Both Hacken and Aushev’s Cyber Unit Technologies have also launched “bug bounty” programs, encouraging engineers to report vulnerabilities in Russian digital services to pass on to skilled cyber attackers to use in bringing down infrastructure.
In the case of Hacken, it asked its community to look for glitches in services including telecoms, banks, energy firms, transportation and logistics companies and retail companies. “We will pass this information to Ukrainian cyber forces for execution,” the appeal said.
It’s hard to judge the success of the group component of the “IT army,” in part because claiming successes in compromising Russian infrastructure can be part of a strategy to throw Moscow’s military command off-guard.
Ukraine’s hacktivists “currently create the highest ‘noise’ in the cyberspace around the conflict, but not always the highest damage,” a recent report by Check Point said. Some of the highest-profile claims of successful hacks so far include a data dump of personal data of 120,000 Russian soldiers and a hack of Russia’s space agency — something Russia denied happened.
Not everyone agrees with the groups’ tactics.
“What they’re doing, essentially, is [violating] everything that bug bounty programs stand for. Bug bounty programs are supposed to do the opposite, and serve as conduits to help fix vulnerabilities,” said Stefan Soesanto, senior researcher at the Center for Security Studies at ETH Zurich. “They’re not supposed to give vulnerabilities to parties engaged in international armed conflict and they should never help anybody target civilian infrastructure.”
No rules in wartime
Hacken’s pivot means the firm has become a de facto offensive-hacking unit, carrying out cyberattacks on foreign targets at the instruction of the Ukrainian government — and even at will.
“This is not some kind of grassroots protest kind of thing. It’s really a directed military operation,” Soesanto said.
Ukraine’s hacking groups that have sprung up in the past few weeks resemble state-backed or state-condoned groups that have been operating from Russian territory for years. Those wide, ragtag groups of Russian hackers have been Western governments’ bane for years, attacking critical industries like energy firms and banks with ransomware, conducting disruption campaigns in national elections, and breaking into governments’ systems to spy on them.
In response to Russia-based hacking, diplomats in Europe, the U.S. and allied countries have maintained a clear stance in international forums like the United Nations, the Council of Europe and elsewhere, calling Moscow out for being complicit in the attacks and allowing these groups to operate from its soil. Cybersecurity ambassadors have pushed to draw red lines on such cyber-offensive operations.
Generally speaking, intelligence agencies’ cyber espionage is considered fair game, but any acts disrupting a country’s critical infrastructure, sabotaging governments, condoning cybercrime or harming fundamental rights to privacy and human rights are considered off-limits by a widely endorsed report drafted by the U.N. back in 2015.
The problem now is how the West reacts to Ukraine’s overt, brash cyber campaigns targeting Russian infrastructure.
According to Heli Tiirmaa-Klaar, Estonia’s former ambassador-at-large for cyber diplomacy, “we have to differentiate between peacetime and wartime really clearly.”
During peacetime, “international law is setting clear limits. [It] is saying what countries can do and what countries cannot do,” Tiirmaa-Klaar this month told an online audience at the ESMT business school in Berlin, where she now teaches. “There are different tools that apply to wartime … as long as they are strictly limited to military purposes and do not harm civilian infrastructure,” she added.
Ukraine’s volunteer cyber groups are causing some concern in Europe for two principal reasons. The first is that it becomes very hard to officially attribute which states are conducting which operations when such groups are only loosely directed by state officials. The other is that Ukraine’s actions in cyberspace could trigger Russia to unleash its own hacking groups, including aiming them at Western targets — an escalation that, Europe fears, will draw EU and NATO states into the conflict.
Hacken’s setup makes its own actions all the riskier. The firm has its official headquarters in Tallinn, where it set up a legal entity in 2017 — but the whole team, some 50 people, is currently operating from Spain for security reasons, Budorin said, meaning the Spanish state is allowing a group to conduct cyberattacks on Russia from its territory.
These links to EU and NATO countries again raise questions of what the West is willing to condone from Ukrainian hacking groups in the armed conflict.
According to Budorin, Ukraine’s online warriors are sticking to ethical guidelines to keep control of the cyber-offensive aspects of their work and limit data privacy and security risks for potential victims of their attacks.
“We have all the proper procedures. All the vulnerabilities and bugs that we receive, the access to them is only with us and [with] relevant authorities,” he said. “But if we speak about responsible disclosure — come on, we are in the war, we are defending our country. We do what we got to do.”
This article is part of POLITICO Pro
The one-stop-shop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology
Exclusive, breaking scoops and insights
Customized policy intelligence platform
A high-level public affairs network